Shor's Algorithm Breaking Public Key Cryptography
Shor\
Learning Objectives
Explain how Shor's algorithm exploits quantum mechanics to break public-key cryptography
Quantify the specific resource requirements for attacking secp256k1 (XRPL's default)
Compare quantum attack costs for different cryptographic schemes (RSA, ECC, hash functions)
Calculate the gap between current quantum computers and CRQC capability
Assess realistic attack scenarios and their operational constraints
In 1994, mathematician Peter Shor proved that a sufficiently powerful quantum computer could solve two mathematical problems exponentially faster than any classical computer:
- **Integer Factorization** — Breaking RSA encryption
- **Discrete Logarithm Problem** — Breaking Diffie-Hellman and elliptic curve cryptography
This wasn't speculation or theory—it was a mathematically proven algorithm. The only question was when quantum computers would be powerful enough to run it.
Thirty years later, we still lack that capability. But the gap is closing. Understanding exactly what Shor's algorithm requires—and what it doesn't—is essential for rational planning.
Key Insight
Shor's algorithm is a precision tool, not a magic wand. It breaks specific mathematical problems underlying public-key cryptography. It does NOT break hash functions (SHA-256), symmetric encryption (AES), or make all cryptography obsolete. For XRPL holders, the relevant target is secp256k1—and the resource requirements are specific and quantifiable.
Every XRPL account has a cryptographic key pair:
XRPL Account Structure:
├── Private Key: 256-bit random number (secret)
│ └── Controls your funds—proves ownership
├── Public Key: Derived from private key via elliptic curve multiplication
│ └── Used to verify signatures
└── Address: Hash of public key (rXXX... format)
└── Where funds are sent
Security Dependency:
├── Given private key → trivially compute public key
├── Given public key → computationally impossible to derive private key
└── This one-way function IS the security
XRPL uses the secp256k1 elliptic curve (same as Bitcoin). The security relies on one mathematical assumption:
- Public key Q = k × G (where k is private key, G is generator point)
- Given Q and G, find k
- This is the Elliptic Curve Discrete Logarithm Problem (ECDLP)
Classical Difficulty:
Best Classical Attack (Pollard's Rho):
├── Complexity: O(√n) operations where n ≈ 2^256
├── Effective complexity: O(2^128) operations
├── Time estimate: ~10^28 years with all Earth's computers
└── Status: Computationally infeasible foreverThis is why your XRP is safe today. Classical computers cannot solve this problem in any reasonable timeframe.
Shor's algorithm provides an exponential speedup:
Shor's Algorithm Complexity:
├── Classical best: O(2^(n/2)) for n-bit curve
├── Shor's algorithm: O(n³) polynomial time
├── For 256-bit curve:
│ ├── Classical: ~2^128 operations
│ └── Quantum: ~256³ ≈ 16 million operations
└── Speedup factor: ~10^32 (incomprehensibly faster)This isn't incremental improvement—it's a complete change in computational complexity class.
You don't need to understand the mathematics to grasp the key concepts.
Shor's algorithm transforms cryptographic problems into period-finding problems, which quantum computers solve efficiently.
Analogy:
Imagine trying to find the combination to a lock with 2^256 possible combinations. Classical computers try combinations one by one (or with some clever shortcuts). Shor's algorithm doesn't try combinations—it exploits quantum interference to make wrong answers cancel out and correct answers amplify.
Shor's Algorithm (Simplified Steps):
1. Prepare superposition of all possible values (quantum parallelism)
2. Perform modular exponentiation (embeds problem structure)
3. Apply Quantum Fourier Transform (reveals hidden period)
4. Measure result (collapses to answer with high probability)
5. Classical post-processing to extract private keySuperposition: Process all possible private key candidates simultaneously
Interference: Mathematical structure causes wrong answers to cancel
Entanglement: Correlations between qubits maintain coherent computation
Classical vs. Quantum Approach:
Classical Computer:
├── Try candidate k₁ → Check if k₁ × G = Q → No → Discard
├── Try candidate k₂ → Check if k₂ × G = Q → No → Discard
├── ... repeat 2^128 times (impossible)
└── Time: Longer than universe's age
Quantum Computer (Shor's):
├── Prepare superposition of all 2^256 candidates simultaneously
├── Quantum operations cause wrong answers to interfere destructively
├── Correct answer interferes constructively (amplifies)
├── Measurement yields correct private key with high probability
└── Time: Polynomial in key size (hours to days with CRQC)
The Quantum Fourier Transform (QFT) is the key quantum operation that reveals the hidden period. Think of it as:
- Classical Fourier Transform finds frequency patterns in signals
- QFT finds mathematical patterns in superposition states
- The period of the discrete logarithm problem reveals the private key
Critical Requirement: The QFT requires maintaining coherent superposition across thousands of qubits through billions of operations. Any decoherence destroys the interference pattern and ruins the computation.
Multiple peer-reviewed studies have estimated the logical qubits needed:
Logical Qubit Estimates for secp256k1 (256-bit curve):
Source | Logical Qubits | Notes
---------------------------------|----------------|------------------
Roetteler et al. (2017) | 2,330 | Standard estimate
└── Formula: 9n + 2⌈log₂(n)⌉+10| where n=256 |
| |
Häner et al. (2020) | 2,124 | Qubit-optimized
└── Trade: More gates for | | fewer qubits
| |
Gate-optimized variant | 2,619 | Fewer gates, more qubits
| |
Depth-optimized variant | 2,871 | Faster, more qubits
| |
Theoretical lower bound | ~523 | Aggressive estimate
└── Formula: 2⌈log₂(n)⌉+2+... | | (may not be practical)
| |
Conservative consensus | 2,330-2,500 | Planning target
XRPL Impact: All XRPL accounts use secp256k1 or Ed25519
└── Ed25519 uses 255-bit curve, similar requirements (~2,300 logical qubits)
- Physical error rate of quantum hardware
- Target logical error rate for the algorithm
- Error correction code used (typically surface code)
Physical Qubit Overhead Estimates:
Scenario | Physical/Logical | Total Physical Qubits
----------------------------|------------------|----------------------
Optimistic (λ=10, low err) | ~1,000:1 | ~2-3 million
Moderate (λ~2-3, mid err) | ~4,000:1 | ~10 million
Conservative (λ~2, high err)| ~8,000:1 | ~20 million
Aggressive attack (1 hour) | Very high | ~317 million
Current Best Hardware (2024):
├── Google Willow: 105 physical qubits
├── IBM Condor: 1,121 physical qubits
├── Gap to CRQC: 10,000× to 3,000,000× depending on scenario
Breaking secp256k1 isn't instant—even with CRQC:
Estimated Attack Duration:
Physical Qubits | Attack Duration | Notes
----------------|-----------------|---------------------------
~317 million | ~1 hour | Highly parallel, expensive
~13 million | ~1 day | Gidney-Ekerå style optimization
~6 million | ~1 week | Fewer qubits, longer runtime
~1 million | ~1 month+ | Minimal viable CRQC
For Context:
├── XRPL transaction finality: 3-5 seconds
├── Bitcoin block time: 10 minutes
├── Attack window: Time between public key exposure and confirmation
└── Implication: Fast attacks require MORE qubits
Kudelski Security introduced a unified metric: megaqubit-days
Megaqubit-Days for secp256k1:
Attack Parameters:
├── Surface code cycle: 200 ns (5 MHz)
├── Physical error rate: 10^-5 (better than current)
├── Target success probability: 99%
Result: ~10^7 megaqubit-days
├── Interpretation: 10 million qubits running for 1 day
├── Or: 1 million qubits running for 10 days
├── Or: 100,000 qubits running for 100 days
└── Current capability: ~0.001 megaqubit-days (gap: ~10^10×)
A counterintuitive finding: RSA-2048 may be easier to break than secp256k1.
Quantum Attack Resource Comparison:
Algorithm | Security Bits | Logical Qubits | Physical Qubits*
---------------|---------------|----------------|------------------
RSA-2048 | ~112 bits | ~1,730-4,096 | ~20 million (8 hrs)
RSA-3072 | ~128 bits | ~2,500-6,000 | ~30+ million
secp256k1 (ECC)| ~128 bits | ~2,330-2,500 | ~10-317 million
Ed25519 | ~128 bits | ~2,300 | ~10-300 million
*Physical qubits depend heavily on target attack time and error rates
Key Insight:
├── ECC keys are smaller because classical attacks are harder
├── Quantum attacks have similar complexity for both
├── RSA's larger keys don't provide proportional quantum resistance
└── Both are vulnerable; timeline is the question, not whether
Shor's algorithm does NOT break hash functions. Grover's algorithm provides only quadratic (not exponential) speedup:
Hash Function Security Under Quantum Attack:
Algorithm | Classical Security | Grover's Speedup | Post-Quantum Security
------------|-------------------|------------------|----------------------
SHA-256 | 2^256 preimage | √(2^256) = 2^128 | Still 2^128 (secure)
SHA-256 | 2^128 collision | ∛(2^128) ≈ 2^85 | Reduced but viable
RIPEMD-160 | 2^160 preimage | √(2^160) = 2^80 | Borderline
MD5 | Broken classically | N/A | Already insecure
XRPL Address Security:
├── Addresses are SHA-256 hashes of public keys
├── Grover's attack: 2^128 operations still needed
├── This remains infeasible even with quantum computers
└── Address security is NOT the vulnerability
XRPL Quantum Vulnerability Assessment:
Component | Algorithm | Shor? | Grover? | Risk Level
------------------------|----------------|-------|---------|------------
Private keys | secp256k1/Ed25519| YES | No | CRITICAL
Transaction signatures | ECDSA/EdDSA | YES | No | CRITICAL
Multi-signature schemes | ECDSA/EdDSA | YES | No | CRITICAL
Address derivation | SHA-256+RIPEMD | No | Minimal | LOW
Ledger hash chain | SHA-512 | No | Minimal | LOW
Escrow conditions | Depends | Maybe | Maybe | MODERATE
Critical Path:
└── Public key → Shor's algorithm → Private key → Steal funds
└── This is THE quantum threat to XRPL
XRPL addresses hide public keys until the first transaction:
Attack Window Analysis:
Scenario A: Never-transacted address (cold storage)
├── Public key: Hidden (only address visible)
├── Attack surface: Must break SHA-256 hash (infeasible)
└── Quantum risk: MINIMAL
Scenario B: First transaction broadcast but not confirmed
├── Public key: Exposed in mempool
├── Attack surface: Shor's algorithm on exposed key
├── Time window: Seconds to minutes
├── Quantum risk: HIGH (if CRQC exists AND is fast)
Scenario C: Historical transaction (key already exposed)
├── Public key: Permanently exposed on ledger
├── Attack surface: Shor's algorithm (no time pressure)
├── Time window: Unlimited
├── Quantum risk: CRITICAL for HNDL (harvest now, decrypt later)
Fast attacks require exponentially more resources:
Attack Speed vs. Resources Trade-off:
Attack Duration | Physical Qubits | Feasibility (2030s)
----------------|-----------------|---------------------
1 hour | ~300 million | Extremely unlikely
1 day | ~10-20 million | Unlikely but possible
1 week | ~2-5 million | More plausible
1 month | ~500K-1 million | Possible with CRQC
Implication for XRPL:
├── XRPL confirms transactions in 3-5 seconds
├── "Race" attack (break key before confirmation) needs <1 minute
├── Would require ~1 billion+ physical qubits
├── Conclusion: Race attacks are NOT the primary threat
└── HNDL attacks on already-exposed keys are the real risk
The most realistic threat model:
HNDL Attack Timeline:
Phase 1: Harvest (Happening Now)
├── State-level adversaries record blockchain data
├── All exposed public keys are captured
├── Low cost, passive collection
└── Builds target database for future
Phase 2: Store (Ongoing)
├── Data stored indefinitely
├── Cost: Trivial compared to CRQC development
└── No time pressure
Phase 3: Decrypt (Future - When CRQC Available)
├── Run Shor's algorithm on stored public keys
├── Derive private keys for high-value targets
├── Steal funds or blackmail holders
└── Targets: Long-term holdings with exposed keys
Defense Strategy:
└── Migrate to quantum-resistant addresses BEFORE Phase 3
Likely CRQC Development Order:
1. Nation-State Programs (Most Likely First)
1. Large Technology Companies (2nd)
1. Well-Funded Criminal Organizations (3rd)
Investment Implication:
├── First CRQC users likely won't attack cryptocurrency
│ └── Nation-states have higher-priority targets (military, infrastructure)
├── BUT: Technology proliferation eventually enables criminal access
└── Timeline: 10-20 years from first CRQC to widespread threat
Current State vs. CRQC Requirements:
Metric | Current Best | CRQC Need | Gap Factor
--------------------|------------------|------------------|------------
Physical qubits | 1,121 (IBM) | 10-300 million | 10,000-300,000×
Logical qubits | 1-2 (Google) | 2,330 | 1,000-2,000×
Error rate/cycle | 0.143% (Google) | <0.001% | ~100×
Coherence time | ~500 μs (SC) | Hours (effective)| ~10,000×
Gate fidelity | 99.9% | 99.99%+ | 10× improvement
Summary: Current quantum computers are approximately 10,000× to 100,000×
short of CRQC capability across multiple dimensions simultaneously.
CRQC Timeline Scenarios (for breaking secp256k1):
Scenario | Probability | CRQC Date | Key Assumptions
-------------------|-------------|------------|------------------
Rapid Breakthrough | 5-10% | 2030-2032 | Major discovery,
| | | exponential progress
| | |
Steady Progress | 45-55% | 2035-2040 | Current trajectory,
(BASE CASE) | | | incremental improvements
| | |
Slower Than | 30-40% | 2045+ | Scaling harder than
Expected | | | expected, plateaus
| | |
Fundamental | 5-10% | Never | Physical limits prevent
Barrier | | | CRQC
Planning Recommendation:
├── Begin migration planning: Now (2024-2025)
├── Start active migration: 2028-2030
├── Complete migration: 2035 (before base case CRQC)
└── Maintain monitoring: Adjust timeline based on developments
✅ Small-scale demonstrations work. Shor's algorithm has been run on quantum computers to factor small numbers (up to ~21). The algorithm works; scale is the limitation.
✅ Resource estimates are converging. Multiple independent research groups estimate 2,000-2,500 logical qubits for secp256k1. This is a well-understood target.
⚠️ Algorithm improvements. New optimizations continue to reduce resource requirements. Future breakthroughs could accelerate timelines.
⚠️ Classified capabilities. Nation-state quantum programs may be significantly ahead of public knowledge.
🔴 Waiting for certainty before acting. By the time CRQC is confirmed, it may be too late for orderly migration.
🔴 Ignoring HNDL threat. Exposed public keys are vulnerable TODAY to future attack. The harvest phase is already happening.
Shor's algorithm WILL break XRPL's current cryptography—secp256k1 and Ed25519—given sufficient quantum computing power. The resource requirements are well-characterized: 2,330 logical qubits or ~10-300 million physical qubits. Current hardware (1,000 physical qubits) is 10,000× to 100,000× short. The most likely timeline is 2035-2045, with meaningful probability (10-20%) of earlier emergence. Rational response: begin preparation now, execute migration over the next 5-10 years, monitor continuously.
Assignment: Build a quantitative model to assess quantum threat progression.
- Calculate logical qubits needed for secp256k1 using formula 9n + 2⌈log₂(n)⌉ + 10 where n=256
- Physical qubit overhead at different error rates (λ = 2, 5, 10)
- Total physical qubits for attack durations (1 hour, 1 day, 1 week, 1 month)
- Track physical qubit counts (IBM, Google, IonQ, Quantinuum)
- Best logical qubit demonstrations
- Calculate gap factors for each metric
- Assume qubit count doubling time scenarios (12, 18, 24 months)
- Project years to reach 10 million physical qubits
- Create bull/base/bear timeline scenarios
Time Investment: 3-4 hours
1. Shor's algorithm breaks secp256k1 by solving:
A) The hash collision problem
B) The elliptic curve discrete logarithm problem (ECDLP)
C) The traveling salesman problem
D) The quantum decoherence problem
Answer: B — Shor's algorithm solves ECDLP. Given Q = k × G, it finds private key k.
2. Approximately how many logical qubits are needed to break secp256k1?
A) About 50-100
B) About 500-1,000
C) About 2,000-2,500
D) About 10,000-50,000
Answer: C — Multiple papers estimate 2,124-2,619 logical qubits, with ~2,330 commonly cited.
3. Why is SHA-256 address derivation NOT vulnerable to Shor's algorithm?
A) SHA-256 is quantum-resistant by design
B) Shor's algorithm only works on factoring and discrete log problems, not hash functions
C) XRPL uses quantum-resistant SHA-256
D) Address derivation doesn't use cryptography
Answer: B — Shor's exploits mathematical structure of factoring/DLP. Hash functions lack this structure.
4. An XRPL address has never transacted. Its quantum risk is:
A) Critical—private key derivable from address
B) High—public key exposed on ledger
C) Low—public key hidden behind hash
D) Zero—quantum computers can't affect blockchain
Answer: C — Public key isn't exposed until first transaction. Breaking the hash remains infeasible.
5. HNDL threat is most concerning for:
A) Never-transacted addresses
B) Frequent trading addresses
C) Long-term holdings with exposed public keys
D) Ed25519 addresses vs secp256k1
Answer: C — Exposed keys with long-term holdings give unlimited time for future attacks.
- Shor, P. "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer" (1994)
- Roetteler et al. "Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms" (2017)
- Gidney & Ekerå "How to Factor 2048-bit RSA Integers in 8 Hours Using 20 Million Noisy Qubits" (2021)
- Kudelski Security "Quantum Attack Resource Estimate" (2021)
Next Lesson: Grover's Algorithm—quantum threats to hash functions and symmetric cryptography.
End of Lesson 3
Total words: ~4,200
Estimated time: 55 min reading + 3-4 hours deliverable
Key Takeaways
Shor's algorithm is the specific quantum threat.
It breaks the ECDLP underlying secp256k1 in polynomial time. This is proven mathematics, not speculation.
Resource requirements are quantifiable.
Breaking secp256k1 needs ~2,330 logical qubits or ~10-300 million physical qubits, depending on attack speed.
Current quantum computers are ~10,000× short.
The gap is real but closing. Current best: ~1,000 physical qubits, ~1 logical qubit.
Hash functions remain secure.
Shor's algorithm doesn't break SHA-256. XRPL addresses (hashes of public keys) are not directly vulnerable.
HNDL is the realistic threat model.
Already-exposed public keys face future risk. The harvest phase may already be underway. ---